Cyber-attack on South Korea may not have come from China after all: regulator

SEOUL Fri Mar 22, 2013 5:21am EDT

1 of 6. Researchers of Hauri, an IT security software company investigating computer viruses, talk at their lab in the company in Seoul March 22, 2013.

Credit: Reuters/Lee Jae-Won

SEOUL (Reuters) - This week's cyber-attack on South Korean broadcasters and banks may not have originated in China after all as the IP address has been traced to one of the victim banks, the communications regulator said on Friday.

But it couldn't rule anything out, it added.

Hackers on Wednesday brought down the networks of three broadcasters and two banks, initially seen as the work of North Korea using its vast army of "cyber-warriors" to cripple computer servers.

Officials in Seoul originally said they had traced the breach to a server in China, a country that has been used by North Korean hackers in the past.

North Korea has threatened to attack both South Korea and the United States after it was hit with further U.N. sanctions for its nuclear test in February.

But the Korea Communications Commission said closer investigation into the attack on NongHyup Bank showed the IP address was a virtual IP address used within the bank for internal purposes.

The IP address by coincidence matched an address registered in China, it said.

The regulator said it could not rule anything out. There were signs the malicious code used came through an overseas route and a single entity was likely responsible for the attack on all six targets.

Wednesday's attack hit the network servers of television broadcasters YTN, MBC and KBS, Shinhan Bank and NongHyup. South Korea's military raised its alert levels in response.

About 32,000 computers were hit, according to the South's state-run Korea Internet Security Agency, adding it would take up to five days to fully restore functions.

It took the banks hours to restore banking services. Damage to the servers of the TV networks was believed to be more severe, although broadcasts were not affected.

North Korea has in the past targeted South Korea's conservative newspapers, banks and government institutions.

The biggest hacking effort attributed to Pyongyang was a 10-day denial of service attack in 2011 that antivirus firm McAfee, part of Intel Corp, dubbed "Ten Days of Rain". It said that attack was a bid to probe the South's computer defenses in the event of a real conflict.

South Korean authorities said Woori Bank was also attacked on Wednesday but was not infected.

North Korea last week complained that its own websites had been hacked, blaming the United States.

(Reporting by Jack Kim and Ju-min Park; Editing by Nick Macfie)

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see
Comments (2)
Tiu wrote:
Cyber attacks could initiate a nuclear missile counter attack being launched in retaliation.
Cyber attacks are also perfectly suited to “False Flag” attacks where an enemy within attacks either itself or its host in order to create a conflict with an external enemy.
Great potential for mayhem, given they could come from anywhere and anyone… with the right knowledge of servers, software and comms.

Mar 22, 2013 6:24am EDT  --  Report as abuse
Professordave wrote:
Shoulda borrowed money from one of them Korean banks I guess. Will South Korea ever distance themselves from their brothers to the North? They SEEM more advanced but in so many ways they are just as paranoid of outsiders. This story seems to repeat itself every few years in Korea. A while ago there was a story about foreign diplomas being faked. After investigation they found that the number of Koreans faking documents was much higher. Then there was the national “epidemic” of foreign teachers molesting their students that lead to cameras in all the classrooms and heavy investigations. What the cameras and investigators found was alarmingly high incidence of KOREAN teachers molesting their students. And no doubt if they continue investigating cyber attacks they will find that a lot of them are based in South Korea where every room has an internet jack and every citizen has 10 devices that are internet capable. In the first two cases, the investigation waned as public outcry ground to a halt. See it’s okay with Korean people if bad things are done to them BY KOREANS, but foreigners don’t have that right by golly! sigh…

Mar 22, 2013 10:37am EDT  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.